|Publication number||US8171287 B2|
|Application number||US 10/598,719|
|Publication date||May 1, 2012|
|Filing date||Mar 10, 2005|
|Priority date||Mar 10, 2004|
|Also published as||EP1743448A2, US20070192608, WO2005084100A2, WO2005084100A3|
|Publication number||10598719, 598719, PCT/2005/30, PCT/BR/2005/000030, PCT/BR/2005/00030, PCT/BR/5/000030, PCT/BR/5/00030, PCT/BR2005/000030, PCT/BR2005/00030, PCT/BR2005000030, PCT/BR200500030, PCT/BR5/000030, PCT/BR5/00030, PCT/BR5000030, PCT/BR500030, US 8171287 B2, US 8171287B2, US-B2-8171287, US8171287 B2, US8171287B2|
|Inventors||Agostinho de Arruda Villela|
|Original Assignee||DNABOLT, Inc|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (20), Referenced by (16), Classifications (40), Legal Events (2)|
|External Links: USPTO, USPTO Assignment, Espacenet|
The present invention is related to the identification and authorization for service access for computational devices or devices with computational resources (a “Device”). In particular, the present invention is applicable to sensitive and confidential information access, such as bank account information access by means of the Internet, secure access to web pages for commercial transactions (e-commerce), corporate Intranet access to confidential information, etc.
The prior art describes several security related devices and configurations applicable to access and operation through the Internet. Security needs have to be constantly revised in face of the increasing sophistication of resources used to bypass security systems and fraud electronic access to Internet banking and e-commerce. In countries such as the United States of America, the high efforts and investments made to thwart criminal actions performed by hackers precisely illustrate the importance of guaranteeing user-friendly secure online transactions. Many online and Internet operations use sophisticated security procedures which are based on high levels of complexity in an attempt to guarantee the security in accessing online services which involve private or confidential information. However, this increased complexity results in difficulties posed to legitimate users in accessing such services. This, in its turn, results in a lower-than-optimum level of adherence, by users, to existing forms of online services.
Other apparently more rigorous security schemes, such as those offered on online banking websites are examples of what was explained above. Those services behave as if only the user could visualize and/or access the service. Authentication processes based solely on the user (i.e. user/password) are susceptible to password tracking. The univocal correspondence between a user and his password eases fraud, either by password cloning or by cloning accessed webpages.
As an example of the technique, the Irish invention no. 83221 refers to a means of uniquely identifying computers and systems. The invention, on the other hand, is able to create signatures that identify a device using only logical information and, jointly with the univocal framework and related processes that constitute it, it proposes a security system able to complement or substitute traditional authentication procedures. Although signatures or the idea of using extended positivation scheme for computational devices have existed for a long time, the invention's uniqueness relies on its process, i.e., its client/server architecture conceived to complement or substitute usual authentication systems.
Therefore, what is claimed in document no. 83221 involves the creation of an unique signature for a device (where a device stands for a processor or a processor set composing a network) based on response time statistical distribution and other measurements for physical identification of the devices, used for purposes that may or may not be applicable for conventional authentication schemes. The identification process proposed in this document also uses some logical techniques, however, unlike the invention, these techniques are used as a complement. The logical techniques proposed in the document 83221 do suffice for the creation of a unique identification for a device. Although it is possible to create or compliment an authentication procedure from the process described in document 83221, that is not its intention, and, moreover, its contents do not consider, directly, the creation of a similar process.
This is also what happens with Microsoft's publication titled: PRODUCT ACTIVATION FOR WINDOWS XP-TECHNICAL MARKET BULLETIN. This publication describes validation methods of Windows XP computer program that aim to avoid illegal copies (piracy) or even fraudulent product purchase. The configurations proposed for these methods also have a univocal characteristic, of some complexity for the ordinary user, who would be inhibited to practice fraudulent actions.
The present invention is a technology used to substantially improve the security involved in an authentication process to access an Internet page, an Intranet page, or any other type of computer server or computer-based service that requires secure authentication. Any of these services will be cited hereinafter as a “SERVICE”. The authentication process includes a process coupled to the hardware and software configuration profile of a device, resulting in a unique signature. This signature will be referenced from now on as “SIGNATURE”.
Whenever a user tries to access a SERVICE that is using the invention for authentication, the SIGNATURE resulting from the configuration of the device from where the user is attempting to use the SERVICE is verified and compared to a list of authorized device SIGNATURES. If the current device's SIGNATURE matches one of the previously registered SIGNATURES, the user is allowed to access the SERVICE. If not, the user will either be directed to extended positivation or will be denied access to the SERVICE, depending on the previously chosen security options. In case the user is submitted to extended positivation, if his identification is successful, access to the SERVICE will be granted and the user will be given the option to include the present device in the list of authorized SIGNATURES for his account. If the identification is not successful, the user will not be allowed to access the SERVICE.
The invention can be used as a complementary authentication process to another existing authentication process (i.e an authentication method based on user/password pair) as to improve its security level. This may be used, typically, to access less sensitive applications, such logging onto a web portal or ISP.
It is important to stress that the invention is capable of performing this identification without need for any other hardware or software components, such as smart cards, identification cards, etc. Therefore, the invention allows the recognition of a device SIGNATURE simply from its usual hardware and software components.
This document will offer a more in-depth description of possible applications of the invention, however, any application of same described herein is offered as an example, and should not be construed as a limitation to the scope of the claims.
The present invention was conceived to operate in a distributed computational environment that can be implemented by means of the Internet or in an internal computational network. It is composed of three basic components:
a) A Software Agent;
b) An Authentication Server; and
c) A network-available SERVICE which requires authentication.
The Software Agent is a program that can discover hardware and software asset information from a Device. It is a key component to obtain the data that will compose the Device's SIGNATURE. The Software Agent needs to be installed or downloaded and installed (preferably by using web distribution techniques that are able to download and execute a program in a single step, such as, ActiveX or a browser plug-in), by means of the Internet or an internal network, in order to start the SIGNATURE identification process.
The Authentication Server is a server that receives a SIGNATURE from a Software Agent, compares it to a set of authorized SIGNATURES and authorizes or not access to a SERVICE. The Authentication Server needs to be connected by means of an internal network or the Internet to the device submitted to SIGNATURE recognition, in order to allow the identification process to work properly. It is, therefore, an online authentication system.
The Authentication Server has both an interactive and a storage function. It interacts with the Software Agent and the SERVICE providing access authentication. Besides, it works as a repository of the registered SIGNATURES as much as storing the access attempt history (successful or not) of each SERVICE user.
The SERVICE is an Internet page, Intranet page or other type of computational server or computational service that requires secure authentication. The invention complements other authentication methods or security procedures already utilized by the SERVICE, as a pre-identification. For example, it may be used to deny the use of the SERVICE from a device whose SIGNATURE is not registered and recognized, even though another preidentification process could be successfully accomplished by means of other coexistent authentication processes (for instance, deny access even if user/password pair are correct).
The operation and method of the present invention is illustrated by the steps described below:
1) A user tries to access a SERVICE submitted to the invention's authentication. As the invention can coexist with other authentication processes, the user may be submitted to other authentication or complementary security procedures, as a pre-identification, whenever necessary. Typical pre-identification processes are: username/password pair, verifying authorized IP address ranges, answering specific questions, systems that protect against “software robots”, etc.
2) If the user has not registered any device SIGNATURE before the invention yet, the user will be led to a web page or software window that explains how the invention works and tells that the user will be submitted to a registering process immediately afterwards.
3) Once the user agrees to use the invention, he or she must allow the SOFTWARE AGENT download and execution on his device, unless this has already occurred. This step must be repeated for each device that needs to be submitted to the invention's authentication process.
4) Once the SOFTWARE AGENT is installed on the user's device, the invention will identify its SIGNATURE and submit it for registration with the SERVICE. Typically, the first registration does not require rigorous authentication.
The SIGNATURE is made from data sampled from the device's hardware and software components. The SIGNATURE will identify the device without the need of any supplementary identification device, such as a smart card.
The device's identification is done by detecting and identifying essential hardware and software components of the device. The invention allows that some of these components undergo incremental changes without modifying the device's SIGNATURE. However, if the device has undergone deep modifications, its SIGNATURE will be changed. This means that the device will be considered as a new device and will not be recognized by the SERVICES accessed before then. In this case, the user has to register the new device SIGNATURE. It is also important to clarify that changes of components that are not considered to be essential may be done without affecting the SIGNATURE.
The SIGNATURE is composed of a group of information hashes extracted from hardware and software components. These hashes cannot be reversed to recompose the information used to make the SIGNATURE, preserving, this way, user privacy and security. It is recommendable that, at each transaction, the hashes be grouped in a different way and submitted to several levels of cryptography. This procedure protects the system even more against anyone who attempts to intercept the communication between the user device and the Authentication Server and tries, by simply reproducing the transmitted data, to pretend to be the original device.
5) If the user tries to access the SERVICE from a device that was not previously registered (provided that there was at least one device previously registered), the invention will allow the access only after applying an extended positivation (i.e. specific questions besides the username/password pair). If the answers are correct, the user will be allowed to access the SERVICE, with the option to register (or not) the present device's SIGNATURE, according to the configuration previously chosen. If the identification fails, the user will not be allowed to access the SERVICE.
6) Whenever necessary, the user may delete the SIGNATURES registered in his account. It is recommended that the SIGNATURE deletion process be always done from a device considered to be more secure and trustable, which is, typically, a device registered in the account before the one to be deleted. This way, the user can only delete a given SIGNATURE if it is using a device whose SIGNATURE had been registered BEFORE the SIGNATURE being deleted. It is also recommendable that the oldest SIGNATURE can be deleted only from the device it was originally created.
7) Once the user keeps accessing the page regularly by means of the invention, it will be able to provide past information about all access or access attempts performed upon the user account. This historical information will remain stored even if the user decides to deactivate, even though temporarily, the usage of the system of the present invention.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US5552776 *||Jun 24, 1994||Sep 3, 1996||Z-Microsystems||Enhanced security system for computing devices|
|US6148401 *||Nov 19, 1997||Nov 14, 2000||At&T Corp.||System and method for providing assurance to a host that a piece of software possesses a particular property|
|US6330588 *||Dec 21, 1998||Dec 11, 2001||Philips Electronics North America Corporation||Verification of software agents and agent activities|
|US6477645 *||Feb 3, 1999||Nov 5, 2002||Intel Corporation||Authority and integrity check in systems lacking a public key|
|US7117528 *||Oct 24, 2002||Oct 3, 2006||Microsoft Corporation||Contested account registration|
|US20010044896 *||Mar 5, 2001||Nov 22, 2001||Gil Schwartz||Authentication technique for electronic transactions|
|US20020083339 *||Dec 22, 2000||Jun 27, 2002||Blumenau Steven M.||Method and apparatus for preventing unauthorized access by a network device|
|US20020184385 *||Apr 24, 2001||Dec 5, 2002||Saul Kato||Apparatus and method for communicating information to portable computing devices|
|US20030055931 *||Sep 18, 2001||Mar 20, 2003||Cravo De Almeida Marcio||Managing a remote device|
|US20030084306 *||Jun 27, 2001||May 1, 2003||Rajasekhar Abburi||Enforcement architecture and method for digital rights management system for roaming a license to a plurality of user devices|
|US20030208569 *||Apr 13, 2001||Nov 6, 2003||O'brien Michael D||System and method for upgrading networked devices|
|US20040003266 *||Mar 20, 2003||Jan 1, 2004||Patchlink Corporation||Non-invasive automatic offsite patch fingerprinting and updating system and method|
|US20040039921 *||Oct 17, 2001||Feb 26, 2004||Shyne-Song Chuang||Method and system for detecting rogue software|
|US20050076096 *||Dec 5, 2000||Apr 7, 2005||Mitsuhiro Nishibe||Registering device and method, information processing device and method, providing device and method, and program storage medium|
|US20050133582 *||Dec 22, 2003||Jun 23, 2005||Bajikar Sundeep M.||Method and apparatus for providing a trusted time stamp in an open platform|
|US20050149730 *||Dec 31, 2003||Jul 7, 2005||Selim Aissi||Multi-authentication for a computing device connecting to a network|
|US20050166053 *||Jan 28, 2004||Jul 28, 2005||Yahoo! Inc.||Method and system for associating a signature with a mobile device|
|US20060200856 *||Mar 2, 2005||Sep 7, 2006||Salowey Joseph A||Methods and apparatus to validate configuration of computerized devices|
|IE20429A1||Title not available|
|WO2004023275A2 *||Aug 28, 2003||Mar 18, 2004||Matsushita Electric Industrial Co., Ltd.||Group management system, group management device, and member device|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US8726407||Oct 13, 2010||May 13, 2014||Deviceauthority, Inc.||Authentication of computing and communications hardware|
|US8818897 *||Dec 15, 2005||Aug 26, 2014||Rockstar Consortium Us Lp||System and method for validation and enforcement of application security|
|US8819814 *||Apr 13, 2007||Aug 26, 2014||United Services Automobile Association (Usaa)||Secure access infrastructure|
|US8898450||Jun 13, 2012||Nov 25, 2014||Deviceauthority, Inc.||Hardware identity in multi-factor authentication at the application layer|
|US9047450||Jun 10, 2010||Jun 2, 2015||Deviceauthority, Inc.||Identification of embedded system devices|
|US9047458||May 20, 2010||Jun 2, 2015||Deviceauthority, Inc.||Network access protection|
|US9143496||Jun 10, 2013||Sep 22, 2015||Uniloc Luxembourg S.A.||Device authentication using device environment information|
|US9160715 *||Feb 24, 2014||Oct 13, 2015||Fujitsu Limited||System and method for controlling access to a device allocated to a logical information processing device|
|US9286466||Mar 15, 2013||Mar 15, 2016||Uniloc Luxembourg S.A.||Registration and authentication of computing devices using a digital skeleton key|
|US9338152 *||Aug 15, 2012||May 10, 2016||Uniloc Luxembourg S.A.||Personal control of personal information|
|US20100241690 *||Mar 20, 2009||Sep 23, 2010||Microsoft Corporation||Component and dependency discovery|
|US20100325704 *||Jun 10, 2010||Dec 23, 2010||Craig Stephen Etchegoyen||Identification of Embedded System Devices|
|US20100325710 *||May 20, 2010||Dec 23, 2010||Etchegoyen Craig S||Network Access Protection|
|US20110093703 *||Oct 13, 2010||Apr 21, 2011||Etchegoyen Craig S||Authentication of Computing and Communications Hardware|
|US20130055357 *||Aug 15, 2012||Feb 28, 2013||Uniloc Luxembourg S.A.||Personal control of personal information|
|US20140298444 *||Feb 24, 2014||Oct 2, 2014||Fujitsu Limited||System and method for controlling access to a device allocated to a logical information processing device|
|U.S. Classification||713/168, 710/14, 726/28, 710/11, 726/12, 713/169, 726/3, 726/2, 713/191, 726/29, 726/27, 726/17, 726/4, 713/182, 726/13, 705/57, 713/170, 705/51, 726/14, 726/5, 726/11, 710/10, 705/59, 726/1, 710/5|
|International Classification||G06F21/00, H04L9/32, H04L29/06|
|Cooperative Classification||G06F21/73, H04L2209/56, H04L63/104, G06F21/31, H04L9/3247, G06F21/445, H04L63/12|
|European Classification||H04L9/32S, G06F21/31, G06F21/44A, G06F21/73, H04L63/10C|
|Apr 20, 2011||AS||Assignment|
Owner name: DNABOLT, INC., GEORGIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:VILLELA, AGOSTINHO DE ARRUDA;REEL/FRAME:026155/0723
Effective date: 20110310
|Oct 30, 2015||FPAY||Fee payment|
Year of fee payment: 4